b'      United States \' partrne t of _tate\n    d      roadc;oI$ting Boanl of Governors\n        ,O ffice ,o f Inspector \'G ene.raJ\n\n\n\n\n               IOffice of Aud its \n\n\n  Review of the Inforation Sec:urity\n  Program at the Broadcastin g Board\n            of Governo s\n\n\n\n\nReport        umber               UD{IT~Oa~37 ,                   Oc:tobe\'r 2008\n\n\n\n\n   :;.u """"" ll \' =c.d           oly \'Or ~ oCicuJ .q.e Jl , ~ ~~"\'" o( _~ 3t \':be\n   .B             _ 3a11\'1! oL .............. or ...,. IIJ=IOY .. JI11II1BI,"m =\'\'\'\'\'IDI I CD1111\n   ~! -             ~.!ij,;.. f~ Gon -. \'4> .mmdar-, dimtlltrl>I!C !1liiy M\n   ""\'GO. \'" .. ~... OJ irI port. ...mae ICC Dq:a:m:n, ,fS~ QI\'..r... ElrDlld_\n   Bomr.I 0(00,=", by:h= .. by otll"" ~e:: .. tit ~on;, >iItMUl FrI..r\n   .U1h r=ro. by ili~ tMl"""m Gcru::al. PuIillo ~iliiy oi t.Il~ .jo=m= \'NIlI boo\n   Jc;..-m ..: : the                  - \xe2\x80\xa2 W14er!!IJc 1.\'.,). C-! 1,;.:5.c. B::\' ImpMlpt!!\'\n                       """\'It\n   ll!dO.I.I\'.. \xc2\xbbi llruI              ,""",11Jl <nmJIIII. ....."11. or ~ iI=ffi=.\n\n\n\n\n                                LTL                    GlED \n\n\x0c                                                              C1Iited calC\'! Dcp.tnmel!lt of l:I.re\n                                                              utd [be 8tmidcasting Baud a r Go"..rnon\n\n\n\n\n                                              PREFACE\n\n        Th:is repon \xe2\x80\xa2 preflllM! Dl\' the Offiell of lM~or G~tlUiII lorG ) p \' 1\'1lu::mJ 10 the\nlnspCCI!.}t Geoer:l.ll:..a of 1978. :IS amend<!d, Set:ucl1_09 o( lIle forci8!1 )0\'.\'1C!l . .I.ct at\'\xc2\xb7 9 0,\n~ Amls Caatrol <!TId Dt=!Mllt \\m.endmer.~ Act or 1 9~\'i, ;mri 1J.: ikpanmnlI cf Smte !DId\nRc!otU:<l Ag~o::i=! Appooprimi(ll!5 Act, FY l Q96, II i! (1\xc2\xa3 af \' St:r.cS oJl aWit. IIlI)XCUon.\nin.....niptl\'<e. ilia $t;liII ~ jm;par:>:! ~ DIG p-etiC)lfi<:;l[l: ~         . 
01113 a~ I!rnIPIi\n""~pcnsibi1try ",ili1 rt!Spo:1:t to 1h.: ~(m. o)f Stllt: lJ\'ld lite BmI!CCltm"IJ Boartf "i GG,\'m:nod\nto ldmmly and preV\'lfU tr.wd. \'K.1.."\'v... all=, mel misrca.!l~=o:nt.\n\n     Th.s   ~~         the LI"..!u.il of m ~ent \'H the: ~gths "IIOi l"eQk.\'!.dSSe:s of It,e OIDCe. ~1..\n11 fun.:t1on IlIiIkr :.:\'01"". I! U ~ an intr;r....,,,,cs ...~Ih CIn!, :teC!.Ill<! llffi.;:tal:! of :-eiooV3!l\':\n1.!!=ie:I :Ill!:! tnsUlllltUl:!.. di=t c~r;\'iIliOil. ad a ",~;......\' ,,{ !tpp\'lio:abl" ocwno=:c~\n\n      The =mm~1t! ~n nave ~.m .ievelop:d Oil :llol bost5 or tb~ CSI kiJo""~\n"v;lltmOle to the OIG. md hav.: nail dlscus."u Ul         =\n                                                        \'N1Ib ~ =oQSllnc fur\nimp~lIJdtlJlilln. It .s \'111 bo(:C t1    :Jk:sc <=lm~Il"ns will :.:.!W.t 1Il 1Jll1J\'C :ffil<:tl v;:,\n<:.mCli:nI., lll:iC\'oc e<:QIlmIll~ op:::.mOJl~\n\n\n\n\n                                                lJ\xc2\xb7h.t~~~\n                                                \\f;u-\'   w. Dud... \n\n                                                ~i,;=Iln:;Jlc~ror      GcDr:nl !br ... ~1l!I   \n\n\x0c                                            TABLE OF CONTENTS\n\n\n\nEXECUTIVE SUMMARY ................................................................................................ 2 \n\n\nBACKGROUND ................................................................................................................ 3 \n\n\nSCOPE AND METHODOLOGY ...................................................................................... 4 \n\n\nRESULTS ........................................................................................................................... 5 \n\n  Inventory Management ................................................................................................... 5 \n\n  Plan of Action and Milestones Process ........................................................................... 
6 \n\n  Certification and Accreditation ....................................................................................... 8 \n\n  Privacy ............................................................................................................................ 9\n\n  Configuration Management .......................................................................................... 10 \n\n  Incident Reporting ........................................................................................................ 11 \n\n  Security Awareness Training, Peer-to-Peer File Sharing ............................................. 13 \n\n\nRECOMMENDATIONS .................................................................................................. 16 \n\n\nAPPENDIX A \xe2\x80\x93 MANAGEMENT RESPONSE ............................................................. 17 \n\n\x0c                                        UNCLASSIFIED \n\n\n\nEXECUTIVE SUMMARY\n\n        In response to the Federal Information Security Management Act of 2002\n(FISMA), 1 the Office of Inspector General (OIG) performed an independent evaluation\nof the information security program at the Broadcasting Board of Governors (BBG).\nOIG reviewed BBG\xe2\x80\x99s progress in addressing information management and information\nsecurity program requirements per FISMA and other statutory requirements, including\nOffice of Management and Budget (OMB) guidance. The OIG team assessed\nperformance in various areas, including inventory, plan of action and milestones\n(POA&M), certification and accreditation (C&A), security planning, contingency\nplanning, risk management, incident response, security awareness and training,\nconfiguration management, and privacy requirements.\n\n        OIG could not perform an assessment of the adequacy of BBG\xe2\x80\x99s oversight and\nevaluation for 13 of its 14 identified systems because BBG had not conducted all aspects\nof a formal security program during FY 2008. 
Therefore, BBG could not provide the\nsupporting documentation that would have been available for this FISMA review. As a\nresult, BBG\xe2\x80\x99s overall assessment is poor, with improvements needed in several areas.\nOIG has, however, noted instances where improvements have been made since the FY\n2007 review.\n\n        Since last year, BBG has completed one POA&M and C&A for its largest system:\nCentral Infrastructure Domain. OIG\xe2\x80\x99s review of the supporting documentation\ndemonstrated a thorough performance and compliance with security controls for this\nsystem. BBG has appointed a Privacy Officer to address the agency\xe2\x80\x99s privacy\nresponsibilities. Further, BBG has developed an online training program for its\nemployees using a customized application. The training content for the online course is\ndeveloped by the Chief Information Security Officer (CISO) per statutory requirements\nand is revised as needed to address current hot topics.\n\n      While improvements have been made, OIG identified controls needing further\nenhancements. Specifically, the Broadcasting Board of Governors should ensure that\n\n       \xe2\x80\xa2\t a formal procedure for inventory identification and management is developed,\n          documented, and implemented; and should include the process for identifying all\n          changes to the inventory, including additions, retirements, and realignments of\n          information systems;\n       \xe2\x80\xa2\t all required POA&Ms are completed for all major information systems;\n       \xe2\x80\xa2\t milestone completion dates and changes to milestone data are accurate in each\n          POA&M;\n       \xe2\x80\xa2\t C&A is performed and completed for all FISMA reportable information systems;\n       \xe2\x80\xa2\t the security incident response plan is updated to include policy on safeguarding\n          and responding to breaches related to personally identifiable information;\n\n1\n    44 U.S.C. 
\xc2\xa7 3545 et seq.\n       OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037\xc2\xa0Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG   2\n                                      UNCLASSIFIED \n\n\x0c                                       UNCLASSIFIED \n\n\n\n    \xe2\x80\xa2\t a configuration management policy is developed that incorporates controls found\n       in National Institute of Standards and Technology Special Pulication 800-53,\n       including configuration management controls 1 through 8;\n    \xe2\x80\xa2\t complete and cirrent systems security plans for each of its systems are developed\n       and maintained; and\n    \xe2\x80\xa2\t written policies to staff are established and disseminated, consistent with the four\n       phases of an incident response program described in NIST SP 800-61, on\n       handling and reporting security incidents to include, at a minimum, common\n       types of security incidents, breaches of personally identifiable information,\n       incident reporting timeframes, guidance for prioritizing incidents, and required\n       post-incident activity.\n\nBACKGROUND\n\n        Section 3545 of FISMA directs each agency to conduct an annual independent\nevaluation of its information security program and practices. FISMA provides a\ncomprehensive framework for establishing and ensuring the effectiveness of operational,\ntechnical, and management controls over information technology (IT) that supports\nfederal operations and assets. FISMA also provides a mechanism for improved oversight\nof federal agency information security programs. OMB Memorandum M-08-21, 2 issued\nJuly 14, 2008, contained guidance to assist OIGs with reporting FISMA performance\nmetrics.\n\n        Section 3544(b) of FISMA requires that agencies develop, document, and\nimplement an agency-wide information security program. 
As part of that program,\nsection 3544(b)(6) requires that the CIO develop a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency. OMB\nMemorandum M-04-25, 3 dated August 23, 2004, discusses the POA&M requirements for\nfederal agencies, which include identifying tasks that need to be accomplished, the\nresources that are required to accomplish the elements of the POA&M, the milestones to\nmeet the task, and scheduled milestone completion dates. The memorandum includes a\nspreadsheet to be used as a model to develop POA&Ms, including details such as the\nspecific identified weakness, point of contact, resources required, scheduled completion\ndate, milestones with attendant completion dates, changes in milestones, identification of\nweakness, and status. National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-53 4 lists the security controls that system owners should implement\nfor their systems, depending on applicability to the system. The annual C&A process\n\n\n\n\n2\n  OMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information Security \n\nManagement Act and Agency Privacy Management, July 14, 2008. \n\n3\n  OMB Memorandum M-04-25, Memorandum for Heads of Executive Department and Agencies, August \n\n23, 2004.\n\n4\n  NIST SP 800-53, Recommended Security Controls for Federal Information Systems, December 2006. 
\n\n      3 OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037 Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG\n                                  UNCLASSIFIED \n\n\x0c                                         UNCLASSIFIED \n\n\n\nrequired by NIST SP 800-37 5 identifies security control weaknesses requiring\nremediation.\n\nSCOPE AND METHODOLOGY\n\n        The OIG team consisted of staff with the OIG Office of Audits and the audit\nservices firm of Regis & Associates, PC. References to the work conducted for this\nevaluation by OIG refer to this team. To perform the FISMA evaluation, OIG researched\nfederal laws, regulations, and guidance to identify relevant criteria for implementing and\nmanaging information security programs. To identify prior issues and to follow up on\npast recommendations, OIG also reviewed previous reports that evaluated BBG\xe2\x80\x99s\ninformation security and privacy programs. OIG reviewed documents provided by BBG\nofficials regarding systems inventory, C&A, POA&Ms, standard operating procedures,\nprocess guides, and training. OIG\xe2\x80\x99s analysis was based on information and\ndocumentation for the period ending the third quarter of FY 2008 to allow sufficient time\nfor analysis and verification by the team. OIG included all 14 systems that BBG had\ncategorized as moderate and low-impact level systems as its subset sample for this year\xe2\x80\x99s\nFISMA review. BBG does not have any systems categorized as high-impact level. BBG,\nhowever, has only completed the lifecycle process for one system. 
Therefore, OIG\nperformed its review of BBG\xe2\x80\x99s inventory, contingency plans and annual testing, C&A,\nPOA&M, privacy, and configuration management processes using documentation for this\none system: the Central Infrastructure Domain system.\n\n        OIG met with BBG officials to discuss roles and responsibilities for implementing\nand managing information security programs for its networks. OIG met with the CISO to\ngather updates on C&A, configuration management, the POA&M process, and security\nawareness training. OIG held discussions with system owners to gather additional\ninformation on BBG\xe2\x80\x99s incident response procedures and BBG\xe2\x80\x99s configuration\nmanagement process. In addition, OIG met with the Privacy Officer to gather\ninformation on efforts to protect personally identifiable information (PII). OIG held\ndiscussions with officials from OMB about expectations for government-wide\ncompliance with Federal Desktop Core Configuration (FDCC) requirements.\n\n       The results of OIG\xe2\x80\x99s review are discussed below. OIG\xe2\x80\x99s Office of Audits\nconducted its fieldwork for this review from June 20 to August 29, 2008. A draft of this\nreport was provided to BBG officials for their management review and comment, and all\napplicable comments were considered and incorporated into this final report.\n\n        In its October 10, 2008, formal response, BBG officials concurred with all of the\nrecommendations made by OIG in this report (see Appendix A). OIG will follow-up on\ncorrective actions taken, planned, or underway by BBG during its compliance analysis\nreviews to determine resolution of each recommendation. 
Comments or questions about\nthe report may be directed to Karen Bell, Deputy Assistant Inspector General for Audits,\nat bellk@state.gov or by telephone at 703-284-2604.\n5\n NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems,\nMay 2004.\n     OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037\xc2\xa0Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG          4\n                                       UNCLASSIFIED \n\n\x0c                                          UNCLASSIFIED \n\n\n\nRESULTS\n\n        OIG could not perform an assessment of the adequacy of BBG\xe2\x80\x99s oversight and\nevaluation for 13 of its 14 identified systems because BBG had not conducted all aspects\nof a formal security program during FY 2008. Therefore, BBG could not provide the\nsupporting documentation that would have been available for this FISMA review. As a\nresult, BBG\xe2\x80\x99s overall assessment is poor, with improvements needed in several areas.\nOIG has, however, noted instances where improvements have been made since the FY\n2007 review.\n\nInventory Management\n\n       The management and identification of the information systems inventory items is\nhandled by staff within BBG\xe2\x80\x99s International Bureau of Broadcasting (IBB), including\nthose systems that are defined as major information systems in accordance with Federal\nInformation Processing Standards (FIPS) Publication 199. 6 BBG captures and tracks its\ninventory in one central repository, called the \xe2\x80\x9cMulti-user Information Security Forms\nInspection Tool.\xe2\x80\x9d This is a web-based inventory system, which also tracks\nimplementation of NIST 800-53 7 controls and details the C&A processes.\n\n        OIG met with BBG officials to obtain an understanding of their methodology and\napproach for defining BBG\xe2\x80\x99s FISMA-reportable inventory. 
According to BBG\nmanagement the guidelines defined in NIST SP 800-37 8 are the processes it uses for\nidentifying and managing FISMA reportable major information systems and thus BBG\ntherefore did not develop its own written process. BBG management further explained\nthat the system owners and the four members of the CIO staff are in continuous (often\ndaily) communication with each other. For these reasons, BBG officials determined that\nno additional written internal policy or procedures were necessary.\n\n       Some of BBG\xe2\x80\x99s major information systems ride on the general support systems\n(GSS) 9 for internal communications. The BBG Central Infrastructure Domain, Central\nServices Domain, Central Extranet Domain, Central BBG Domain, and Cuba\nBroadcasting Headquarters Network (Cuba HQ) are all GSS. The Central Infrastructure\nDomain provides the link and routing layers, as well as what BBG refers to as the\nnetwork \xe2\x80\x9cglue services\xe2\x80\x9d (e.g., Domain Naming System) for the entire agency internet\n(BBG\xe2\x80\x99s network of interconnected IP networks, not to be confused with the public\n\n6\n  FIPS Publication 199, Standards for Security Categorization of Federal Information and Information\n\nSystems, February 2004. \n\n7\n  NIST SP 800-53, revision 1, Recommended Security Controls for Federal Information Systems, \n\nDecember 2006. \n\n8\n  NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, \n\nMay 2004. \n\n9\n  A general support system is an interconnected set of information resources under the same direct \n\nmanagement control that share common functionality. It normally includes hardware, software, \n\ninformation, data, applications, communications, and people. 
Sources: NIST SP 800-53 and OMB Circular \n\nA-130, Appendix III.\n\n      5 OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037 Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG\n\n                                  UNCLASSIFIED \n\n\x0c                                       UNCLASSIFIED \n\n\n\nInternet). The four other general support systems use the services of the Central\nInfrastructure Domain but are enumerated separately for the purposes of FISMA and\nOMB Circular A-130 10 criteria for setting accreditation boundaries described in NIST SP\n800-37.\n\n        Currently, BBG has identified 14 major FISMA-reportable systems that comprise\nten agency and four contractor-owned and/or operated major information systems. These\nten BBG-owned major information systems include the following: the five GSS systems\npreviously listed, the Integrated Digital Audio Production System (IDAPS), the Video\nProduction System, the Master Control Automation System, the Cuba Broadcasting\nPublic Internet Website, and Security Credentialing System. The four contractor-owned\nand/or operated major information systems include the following: the Public Internet\nWebsite, the Public Internet Media Streaming Site, the BBG Public Internet Mail\nDistribution Lists, and the VOA Public Internet Mail Distribution Lists.\n\n        Based on information from BBG management, OIG determined that BBG\xe2\x80\x99s\nmethodology of identifying major information systems in accordance with NIST SP 800-\n37 is a reasonable starting point; however, its process is not documented to formalize and\ndescribe roles and responsibilities. A documented inventory process will enable BBG to\nensure a continuous process is in place with adequate management oversight.\n\nRecommendation 1: The Broadcasting Board of Governors should develop, document,\nand implement a formal procedure for inventory identification and management. 
This\nprocedure should include the process for identifying all changes to the inventory,\nincluding additions, retirements, and realignments of information systems.\n\nPlan of Action and Milestones Process\n\n        As reported last year and again for FY 2008, BBG has not developed or\nimplemented formal written processes, policies, or procedures to sufficiently address risk\nmanagement as part of its POA&M program. BBG officials stated that doing so would\nnot necessarily contribute to protecting their information systems, and that the existence\nof such policies is not required by statute. OIG reviewed applicable statutes and\nregulations and agreed that BBG was not technically required to develop and implement\nwritten processes, policies, and procedures. However, OIG\xe2\x80\x99s interpretation of the\napplicable statutes and regulations places the onus on BBG to document and formalize its\nPOA&M process in order to meet the intent of relevant OMB and NIST guidance. 11 This\nguidance states that agencies should use the POA&M process as a management tool for\nidentifying and tracking remedial actions. According to OMB Memorandum M-04-25,\nthe POA&M process is designed to resolve IT security control weaknesses with\nprioritization to ensure vulnerabilities are addressed in a timely and cost-effective\nmanner. Without an effective POA&M process, security control weaknesses may result\n\n\n10\n  OMB Circular A-130, Management of Federal Information Resources, November 28, 2000. \n\n11\n  NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006, and NIST SP \n\n800-37. 
\n\n     OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037\xc2\xa0Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG     6\n                                     UNCLASSIFIED \n\n\x0c                                        UNCLASSIFIED \n\n\n\nin the unauthorized access, use, disruption, disclosure, modification, or destruction of\ninformation.\n\n        BBG\xe2\x80\x99s POA&M process was not fully implemented for FY 2008. Specifically,\nBBG had completed a POA&M for only one of its reported 14 systems, the Central\nInfrastructure Domain system. The POA&M reflected action items needed to address 41\nsecurity control categories mandated by OMB and NIST guidance. 12 Agencies\ncategorize their systems according to FIPS 199 standards to determine which NIST SP\n800-53 controls are required.\n\n       OIG included all 14 reported systems as part of its subset sample for performing\nan analysis of BBG\xe2\x80\x99s POA&M process. Although OIG cannot draw conclusions about\nthe universe of BBG systems based on the sole POA&M BBG completed in FY 2008, it\ncan summarize its review results for the available POA&M: the Central Infrastructure\nDomain, a GSS which is connected to the other reported systems. The POA&M\naddressed all known security weaknesses for the Central Infrastructure Domain system\nthrough testing the security-control categories. The POA&M included OIG findings\nwhere applicable, which were prioritized for timely and appropriate measures. However,\nBBG has not addressed known weaknesses for the remaining 13 systems. During the FY\n2007 FISMA review, BBG provided OIG with 13 POA&Ms, which OIG reviewed at that\ntime. For the current year\xe2\x80\x99s review, BBG did not provide POA&Ms for 13 systems\nbecause officials stated that they were outdated and would change based upon the newly\nmandated FDCC requirements. 
OIG found that BBG\xe2\x80\x99s CIO centrally tracks the POA&M\nthat BBG developed for the one system and reviewed it on a regular basis.\n\n        OIG discussed the Central Infrastructure Domain POA&M with the BBG CISO\nand other BBG officials. OIG compared it with the POA&M for the same system\nreviewed during the prior year and found that the current POA&M was more complete\nand contained detailed information for more action items. 13 The POA&M from the prior\nyear, while listing many more action items, did not include detailed information for each\naction item, such as scheduled completion dates, milestones and completion dates,\nmilestone changes, and resources required. Both POA&Ms listed the status of action\nitems as ongoing and identified whether the items had been identified during a Chief\nFinancial Officer audit or other external review. The current POA&M was well written\nand closely followed the guidance issued in OMB Memorandum M-08-21. 14 The\nPOA&M addressed weaknesses in 41 security control categories from NIST SP 800-53.\nIn addition, for the most part, the POA&M included information for points of contact,\nmonetary resources required to complete POA&M action items, scheduled completion\ndates, milestones and completion dates, milestone changes, how the weakness was\nidentified, and its status. The plan was only remiss in that some of the milestone\n\n12\n   FISMA directed NIST to develop standards to categorize all information and systems, which NIST\n\npublished in Federal Information Processing Standards 199. OMB reiterated this in its guidance, \n\nMemorandum M-08-21, dated July 14, 2008. \n\n13\n   The current POA&M included 41 NIST SP-800-53 security controls, whereas the POA&M from the \n\nprior year assessed only 32, but included much more detailed information.\n\n14\n   OMB Memorandum M-08-21. 
\n\n      7 OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037 Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG\n\n                                  UNCLASSIFIED \n\n\x0c                                     UNCLASSIFIED \n\n\n\ncompletion dates and milestone changes data were incomplete. OIG advised BBG\nofficials of these omissions and encouraged them to consistently include such\ninformation so as to better manage the POA&M process in the future.\n\nRecommendation 2: The Broadcasting Board of Governors should ensure that all\nrequired plans of action and milestones are completed for all major information systems.\n\nRecommendation 3: The Broadcasting Board of Governors should ensure that\nmilestone completion dates and changes to milestone data are accurate in each plan of\naction and milestones.\n\nCertification and Accreditation\n\n        Significant improvements are needed for the C&A process, in which OIG\nconcludes BBG is currently failing. Each of the 14 reported systems were due for C&A\nduring FY 2008; however, BBG had completed C&A for only one system: Central\nInfrastructure Domain. According to the CISO, the other 13 systems did not undergo the\nrequired C&A because of limited resources. As such, BBG management focused their\ntime and attention to their largest major information system, the Central Infrastructure\nDomain.\n        Standards and guidance for performing C&A is contained within NIST SP 800-37\nand NIST SP 800-53, revision 1. As stated within the guidance, security certification and\naccreditation are closely related and, at the same time distinct, activities. Officials must\nbe able to determine the risk to operations, assets, or individuals and the acceptability of\nsuch risk given the mission or business needs of their agencies. Officials must weigh the\nappropriate factors and decide to either accept or reject the risk to their respective\nagencies. 
Security certification supports security accreditation by providing authorizing\nofficials with information necessary to make credible, risk-based decisions about whether\nto place new information systems into operation or to continue using the current systems.\nSecurity accreditation includes the acceptance and management of risk\xe2\x80\x94the risk to\nagency operations, agency assets, or individuals that results from the operation of an\ninformation system.\n\n        OIG reviewed the one completed C&A package for the Central Infrastructure\nDomain to identify, certify, and accredit security controls. With two apparent exceptions,\nOIG found the C&A package to be thorough and complete in accordance with standards.\nThe package, however, seemed to be missing the privacy impact assessment (PIA) and\nthe certification test plan. In follow-up meetings with BBG officials, however, the OIG\nlearned that the PIA was not required because the system did not collect, maintain, or\nshare PII, while the requirement for the certification test plan had been fully satisfied\nwith an annual test performed in FY 2008.\n\n       Annual testing for the Central Infrastructure Domain system security controls was\ncompleted during FY 2008 and resulted in satisfactory results except for five sampled\ncontrols. 
The NIST SP 800-53 security controls that failed are as follows: Access\nControls AC-04 and AC\xe2\x80\x9307 that relate to Information Flow Enforcement and\n\n    OIG\xc2\xa0Report\xc2\xa0No.\xc2\xa0AUD/IT\xe2\x80\x9008\xe2\x80\x9037\xc2\xa0Review\xc2\xa0of\xc2\xa0the\xc2\xa0Information\xc2\xa0Security\xc2\xa0Program\xc2\xa0at\xc2\xa0the\xc2\xa0BBG\n 8\n                                   UNCLASSIFIED \n\n\x0c                                     UNCLASSIFIED \n\n\n\nUnsuccessful Login Attempts, respectively; System and Communication Protection\ncontrols SC\xe2\x80\x9304 and SC-07 as they relate to sharing of Information Remnants and\nBoundary Protection, respectively; and control IA-2 \xe2\x80\x93 Identification and Authentication\nas it relates to User Identification and Authentication. In OIG\xe2\x80\x99s estimation, these\nexceptions are minimal and do not affect the overall results of the annual test, given that\nother access, identification, authorization, system, and communication-protection\ncontrols were tested successfully. The Contingency Plan for this system was also\nsuccessfully tested and updated during FY 2008.\n\nRecommendation 4: The Broadcasting Board of Governors should conduct certification\nand accreditation testing on the remaining 13 major information systems and bring these\nsystems into compliance with statutory requirements.\n\nPrivacy\n\n       BBG has made progress since last year in addressing its privacy responsibilities\nby assigning a Privacy Officer, issuing some of the required privacy policies, and\nperforming PIAs for one of its information systems. 
BBG also improved posting Privacy\nAct information on its website.\n\n        Federal privacy guidance is described in Section 208 of the E-Government Act of\n2002, OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions\nof the E-Government Act of 2002, and OMB Memorandum M-07-16, Safeguarding\nAgainst and Responding to the Breach of Personally Identifiable Information. Per the E-\nGovernment Act of 2002, agencies are required to conduct PIAs for electronic\ninformation systems and information collection and make the assessments publicly\navailable. Further, the agency must post privacy policies on agency websites and\ntranslate privacy policies into a standardized machine-readable format. OMB\nMemorandum M-03-22 provides additional guidance to the agencies and directs them to\nconduct reviews of how information about individuals is handled within agencies when\nthey use electronic means to collect new information or when agencies develop or buy\nnew systems to handle collections of PII. OMB Memorandum M-07-16 reemphasizes the\nresponsibilities under existing law, executive orders, regulations, and policies to assist\nagencies to appropriately safeguard PII and to train employees about their responsibilities in\nthis area. Threshold analyses are used as a good management tool for each agency\xe2\x80\x99s\nprivacy initiatives.\n\n         BBG updated its website to include internet privacy policy and reports to address\nOMB Memorandum M-03-22 requirements. The BBG Internet Privacy Policy webpage\nstates that the agency collects no personal information when the public visits the website\nunless the public chooses to provide that information voluntarily. 
BBG also added a Privacy Reports webpage, which includes links to its System of Records Notice and to the PIA for the Momentum Financials System, which was prepared by BBG because this is its outsourced financial management system and it contained contractor privacy information.

BBG also made progress in implementing the provisions of OMB Memorandum M-07-16 by issuing four policies and two implementation plans. The four policies are as follows: (1) privacy awareness training, (2) privacy breach notification, (3) BBG rules of behavior for safeguarding PII, and (4) PIA. The implementation plans address (1) eliminating unnecessary use of social security numbers and (2) reviewing and reducing the volume of PII. BBG officials did not indicate when the implementation plans will be disseminated to staff.

OMB Memorandum M-07-16 also requires each agency to develop and implement a breach notification policy within 120 days of its issue date of May 22, 2007. BBG did not issue its Privacy Breach Notification Policy until July 14, 2008, and it still has not updated its Information Security Incident Response Plan to reference the new policy.

BBG completed privacy threshold analyses for five of its 14 information systems: the Central Infrastructure Domain, the Central BBG Domain, the Central Extranet Domain, the IDAPS Audio Production System, and the Video Production System. The analyses concluded that PIAs were not required for the five systems.
According to BBG's Senior Agency Official for Privacy, BBG did not perform threshold analyses or PIAs on the remaining systems because the systems were not newly acquired or modified during the year, as provided for by OMB Memorandum M-03-22.

Recommendation 5: The Broadcasting Board of Governors should update its Information Security Incident Response Plan to reflect the Privacy Breach Notification Policy with regard to safeguarding against and responding to personally identifiable information breaches per Office of Management and Budget Memorandum M-07-16.

Configuration Management

BBG has not issued an adequate configuration management (CM) policy. CM controls provide reasonable assurance that changes to information system resources are authorized and that systems are configured and operated securely and as intended. This includes the following: policies, plans, and procedures; current configuration identification information; proper authorization, testing, approval, and tracking of all configuration changes; routine monitoring of the configuration; and timely software updates to protect against known vulnerabilities.

In FY 2008, all 14 of BBG's systems were required to have a C&A, but only one was completed: the Central Infrastructure Domain. OIG selected this system for review and applied NIST SP 800-53, revision 1, standards to determine whether BBG's documentation was in compliance. BBG provided OIG with its IT Change Management Policy as evidence of an agency-wide security configuration management policy.
While the Change Management Policy incorporates several key components of CM standards, it lacks others, such as common security configuration procedures for all types of systems and workstations and detailed change control procedures.

Recommendation 6: The Broadcasting Board of Governors should develop a configuration management policy that incorporates controls found in National Institute of Standards and Technology Special Publication 800-53, including configuration management controls 1 through 8.

Federal Desktop Core Configuration (FDCC)

OMB Memorandum M-07-11[15] requires agencies to adopt FDCC standards. Specifically, these standards require agencies to adopt standardized security configurations for desktops running the Microsoft Windows XP and Vista operating systems. BBG's workstations currently use the Windows 2000 operating system; therefore, this requirement currently is not applicable. BBG management has indicated it will be transitioning to Windows XP within the next year and, at that time, it will be implementing FDCC compliance requirements.

Incident Reporting

BBG's security incident reporting program requires further improvement. Specifically, BBG has not updated its information security incident response plan to identify common types of security events that require reporting. The plan also does not include information on potential PII breaches, guidance on prioritizing security events, or provisions for disseminating incident reporting procedures.

FISMA requires agencies to establish procedures for detecting, reporting, and responding to security incidents.
NIST SP 800-61 provides guidance to agencies on establishing an effective incident response program. The guidance focuses on four phases: (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and (4) post-incident activity. Because events can occur in numerous ways, it is important for officials to develop comprehensive procedures with step-by-step instructions for handling every event, especially common types of events. OMB requires agencies to develop system security plans (SSP).[16] The SSP is an overview of the security requirements of the system and describes the controls in place—or planned—to meet those requirements. The plan also delineates the responsibilities and expected behavior for all individuals who access the system. System security controls are organized into three general classes: management, operational, and technical. Incident reporting is part of the operational security controls.

OIG identified several areas that require improvement by BBG. For example, BBG stated in its current information security incident response plan, dated June 7, 2004, that system owners or designated individuals responsible for information security are to be identified in the SSP and that system users should report any security incident through reporting channels established by the system owners or designated individuals. However, based on its review, OIG found that only one of the 14 systems has an SSP. The information security incident response plan has not been updated and still states that the identity of system owners is found in the SSP. The identity of system owners is located on BBG's Intranet website, yet the Intranet address has not been included in the incident response plan. Further, BBG's information security incident response plan states that system owners or designated individuals should exercise good judgment and common sense when evaluating and reporting security incidents, but it does not provide examples to assist in making these determinations.

To ensure proper handling and reporting of security events throughout the agency, OIG believes that BBG should provide more information to its system owners and designated individuals, including common types of security events, potential PII breaches, reporting timeframes, and guidance for prioritizing events. In addition, contact information for internal and external groups, such as human resources, legal, other incident response teams, and law enforcement entities, should be included in the security incident response plan to facilitate communication. For example, the information security incident response plan states that if an incident involves deliberate activity by a user, one or more additional reports should be filed with the Offices of Personnel, Contracts, or Security. However, specific contact information is not provided in the information security incident reporting plan.

[15] OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 2007.
[16] OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources.
By having information readily available, the time staff spend locating pertinent information may be reduced, thereby ensuring sufficient time for analyzing and properly reporting relevant security events.

Additionally, BBG's information security incident response plan does not address post-incident procedures, which involve identifying lessons learned, assessing the effectiveness of the incident reporting process, and identifying improvements in security controls and practices. For example, BBG had a security incident on July 22, 2008, that involved malicious code injected into its server database. The incident was discovered by employees and reported to a member of the Office of Engineering (E/II) technical staff. The incident was escalated through the reporting channels in E/II to the technical services team leader and then to the head of E/II, who reported the incident via email to the CISO. The CISO determined that the incident should have been referred to the United States Computer Emergency Readiness Team (US-CERT)[17] because it met the US-CERT federal agency reporting guidelines for a category 3 incident involving malicious code. The incident[18] was forwarded by the CISO to US-CERT on July 22, 2008, and the code on the affected server was corrected by the appropriate officials.

Further, the actions taken by BBG officials for this security incident covered the first three phases of the incident response process; however, the fourth phase of the process—post-incident procedures—was not fully performed. The fourth phase requires that BBG develop lessons learned, assess the incident reporting process, and improve security controls as needed. Lessons learned and other data gathered from each incident can be used to identify systemic security weaknesses and deficiencies in policies and procedures. Although the malicious code was eliminated from the server and officials are currently rewriting code for other vulnerable scripts, BBG officials did not develop information on improving the security controls that would prevent either intentional or accidental changes to code.

During its review, OIG received mixed responses from system owners about their understanding of the incident reporting process, as well as their grasp of their individual responsibility to report information security incidents. For example, several system owners indicated that all incident reporting procedures had been consolidated and published on the BBG Intranet website. However, another system owner informed OIG that there are no written procedures regarding incident reporting for the system but that users inform the system owner of any known problems.

[17] US-CERT is a partnership between the Department of Homeland Security and the public and private sectors to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT is responsible for (1) analyzing and reducing cyber threats and vulnerabilities, (2) disseminating cyber threat warning information, and (3) coordinating incident response activities.
[18] Report No. 2008-US-CERTv33F1P7D.
A third system owner stated that incident reporting requirements are split between two procedures that differ for unprivileged and privileged users: unprivileged users report incidents to the help desk, while privileged users report incidents to their system managers. OIG believes that inconsistencies in reporting and handling security incidents throughout the agency could hamper BBG's ability to effectively manage its information systems.

Recommendation 7: The Broadcasting Board of Governors should develop and maintain complete and current systems security plans for each of its systems.

Recommendation 8: The Broadcasting Board of Governors should establish and disseminate written policies—consistent with the four phases of an incident response program described in NIST SP 800-61—to staff that explain the proper handling and reporting of security incidents. This should include, at a minimum, common types of security incidents, breaches of personally identifiable information, incident reporting timeframes, guidance for prioritizing incidents, and required post-incident procedures.

Security Awareness Training, Peer-to-Peer File Sharing

BBG has made some progress in administering security awareness training to its employees. This includes developing an online training program for its employees using a customized application named "Moodle." The training content for the online computer security course is developed by the CISO per statutory requirements, and it is revised as needed to address current topics. The current training content includes discussions of computer risks and vulnerabilities, disclosure of personal information, malicious software, and the protection of sensitive information.
However, policies regarding the use of collaborative web technologies and peer-to-peer file sharing were not part of the awareness training provided to employees, as required by OMB Memorandum M-08-21. Privacy matters are covered separately within another training course developed by BBG's Privacy Officer. The privacy training material covers system users' responsibilities, general privacy principles, and regulatory guidance. As of August 2008, 1,757 (approximately 51 percent) of 3,460 BBG employees had received certificates for the online awareness courses—computer security and privacy.

Security awareness training is being administered to BBG employees with system access; however, BBG is not focusing on providing awareness, in any form, to those without system access. Per OMB Memorandum M-08-21, each agency should be providing security awareness to all users—those with and without system access—as part of the agency's training efforts. BBG is not complying with this requirement, and it did not have any plans to train non-system employees during the course of the FISMA review. Further, BBG officials are not reviewing training records for duplicate entries. In the documentation received, OIG noticed several cases in which the same employee was reported more than once on the training records for the online security awareness training course.
OIG brought this recordkeeping issue to the attention of BBG officials, who indicated that steps will be put in place to address this matter.

RECOMMENDATIONS

Recommendation 1: The Broadcasting Board of Governors should develop, document, and implement a formal procedure for inventory identification and management. This procedure should include the process for identifying all changes to the inventory, including additions, retirements, and realignments of information systems.

Recommendation 2: The Broadcasting Board of Governors should ensure that all required plans of action and milestones are completed for all major information systems.

Recommendation 3: The Broadcasting Board of Governors should ensure that milestone completion dates and changes to milestone data are accurate in each plan of action and milestones.

Recommendation 4: The Broadcasting Board of Governors should conduct certification and accreditation testing on the remaining 13 major information systems and bring these systems into compliance with statutory requirements.

Recommendation 5: The Broadcasting Board of Governors should update its Information Security Incident Response Plan to reflect the Privacy Breach Notification Policy with regard to safeguarding against and responding to personally identifiable information breaches per Office of Management and Budget Memorandum M-07-16.

Recommendation 6: The Broadcasting Board of Governors should develop a configuration management policy that incorporates controls found in National Institute of Standards and Technology Special Publication 800-53, including configuration management controls 1 through 8.

Recommendation 7: The Broadcasting Board of Governors should develop and maintain complete and current systems security plans for each of its systems.

Recommendation 8: The Broadcasting Board of Governors should establish and disseminate written policies—consistent with the four phases of an incident response program described in NIST SP 800-61—to staff that explain the proper handling and reporting of security incidents. This should include, at a minimum, common types of security incidents, breaches of personally identifiable information, incident reporting timeframes, guidance for prioritizing incidents, and required post-incident procedures.

APPENDIX A – MANAGEMENT RESPONSE

BROADCASTING BOARD OF GOVERNORS
UNITED STATES OF AMERICA

October 10, 2008

Mr. Mark Duda
Assistant Inspector General for Audits
Office of Inspector General
U.S. Department of State

Dear Mr. Duda:

This is in response to your memorandum dated September 29, 2008, regarding the Office of Inspector General Fiscal Year 2008 Federal Information Security Management Act (FISMA) Reporting Template for the Broadcasting Board of Governors (BBG).

We appreciate the opportunity to respond to the Office of Inspector General's FISMA evaluation of the Broadcasting Board of Governors' (BBG) information security program and practices.

We concur with the eight recommendations in the report. If you have any questions, please feel free to contact Ms. Renee Tyrance-Gauff, International Broadcasting Bureau (IBB) Chief of Analysis and Administration Division, at (202) 203-4664, or Mr. Vince Nowicki, IBB Director for Engineering & Technical Services, at (202) 382-7300.

[signature illegible]
Executive Director

330 Independence Avenue, SW   Room 3360   Cohen Building   Washington, DC 20237

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT
of Federal programs and resources hurts everyone.

Call the Office of Inspector General
HOTLINE
202-647-3320
or 1-800-409-9926
or e-mail oighotline@state.gov
to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219
Please visit our Web site at:
http://oig.state.gov

Cables to the Inspector General should be slugged "OIG Channel" to ensure confidentiality.